Symantec Critical System Protection and how is it different from Symantec Endpoint Protection
Lately there have been many inquiries why we need SCSP when we have SEP and what is the Difference between SCSP and SEP or why should people buy SCSP.
1. SCSP has Comprehensive Host Intrusion Prevention policies whereas Sep has focused HIPS Policies.
2. SCSP has better control over Applications whereas in SEP Application control it is limited.
3. SCSP has more control over Device you can block devices for Application, users or Groups but in SEP you can either block or Unblock a Device.
4. SCSP gives priority to specific application than general rules however in SEP precedence is based on sequence of the policy.
5. SCSP focuses on Zero-day Exploits and in Depth Application Control, SEP is focused on USB control and blocking an application.
6. Most Importantly here are things we cannot do with SEP but only using SCSP for better Prevention and Detection:
• Prevention
– Windows Exploit Protection
• Windows Buffer Overflow protection
• Thread Injection protection
• Block executable file changes, OS changes,
– Sophisticated Prevention policies
• Broad zero day protection - would require man-years to build from scratch
• Protection covers all applications – even ones not identified in the policy already
– Fine-grained control over USB and External Device usage
• Usage control by program, user, group, arguments or combination of the above
• e.g. Backup Exec to write to a CD-Writer – all other programs can only use as a CD-ROM
– User override of System Lockdown
• Admins/users can be allowed to turn off protection for system maintenance tasks
• Override can be set to allow/disallow changes to SCSP
– High speed network protection designed for servers - lower system impact
– Broader platform coverage
• Windows NT to Windows 2003
• Solaris and Linux protection
• Detection
– User-mode monitoring/auditing features
• SCSP’s does not require a kernel mode driver (i.e. less invasive, no reboot)
– Monitoring policy types
• Registry monitoring – registry key change detection
• File monitoring - File and directory change detection
– Includes file diff to identify configuration file changes
– Checksum monitoring to identify changes that may have occurred while the application was off (e.g. booted from a disk)
• Event log and syslog monitoring – find system, security and application events, such as user logons, privilege escalation, etc.
• Text log monitoring – find events from application or other text logs
– Reoccurance –
• Multiple events within specific time frames
• e.g. X logon failures within Y minutes or logon followed by user rights change
– Remote monitoring of other systems’s events (e.g. mainframe)
– Run actions in response to detected events
• Kill user session,
• Terminate process,
• Run a script/application